Real World Defense Strategies for Targeted Endpoint Threats

Upload: lumension

Post on 20-May-2015

Page 1: Real World Defense Strategies for Targeted Endpoint Threats

PROPRIETARY & CONFIDENTIAL - NOT FOR PUBLIC DISTRIBUTION

Page 2: Agenda

• Advanced Persistent Threats (APTs)
• Targeted Threats Trends
• Targeted Threats Framework
• Defense in Depth
• Q & A

Page 3: Advanced Persistent Threats

Real? Or vendor hype? What’s your perspective …

» Something new?
» Merely marketing hype?
» Limited to large companies?
» All about China?
» APT = Malware?

Page 4: Targeted Threat Concerns

Ponemon Research: 2013 State of the Endpoint

[Figure 4: IT security risks of most concern since 2010 (more than three choices permitted in 2010; three choices permitted in 2011 and 2012). Risks charted: Increased use of mobile platforms; Advanced persistent threats; Intrusion and data loss within a virtual environment. Series: 2012, 2011, 2010. * This choice was not available in all fiscal years.]

ISACA Research: Advanced Persistent Threats Are Real

» 93.6% feel APTs are a serious threat
» 63% think it is only a matter of time
» 79% feel this is the largest gap in APT prevention
» 1 in 5 have experienced an APT attack

Page 5: Targeted Threat Trends

Page 6: Targeted Attacks by Organization Size

Source: Symantec

[Chart: share of targeted attacks by organization size in 2012]

Page 7: External Actors Responsible for Majority of Attacks

Source: Verizon 2013 data breach report

Page 8: Healthcare – Most frequent data breaches

Page 9: Targeted Threats - Top 10 Industries Attacked in 2012

Source: Symantec

Page 10: Threat Environment – Threat Trends

• User endpoints are consistently targeted
» 71% of attacks targeted user devices (Source: Verizon)

Page 11: Common APT Characteristics

• Highly targeted and endpoint-focused
• Uses both sophisticated and low-tech techniques
» Delivery: USB keys, social engineering, watering hole, etc.
» Zero-day vs. “known” vulnerabilities
» Fraudulent certificates
• Centralized Command and Control
• Undetected for prolonged periods
» Exfiltration masking
» “Hiding in plain sight”

Page 12: Targeted Threat Framework

Page 13: Targeted Threat Framework

Page 14: Discover

» Identify the Target
» Plan for Penetration
» Probe the Perimeter

Essentially “casing the joint”

Page 15: Distribute

» Package the Payload
» Deliver the Payload

Design and develop not only the payload but also the delivery vehicle

Page 16: Exploit

» Trigger the Payload
» Exploit the Vulnerability

Activation may not be immediate, and may involve multiple vulnerabilities

Page 17: Control

» Install Malware on System
» Connect Back to Attacker
» Command & Control

Often involves an encrypted communications channel and manual interaction

Page 18: Execute

» Upset the CIA Triad
• Confidentiality
• Integrity
• Availability
» Obfuscate and Extend

Taking action against planned objectives

Page 19: Targeted Threat Framework

Controls by phase (columns on the slide: Detect, Deny, Disrupt):

» Discover: Web analytics; Firewall ACL
» Distribute: Vigilant end user; Web filtering; Spearfish detection; AV
» Exploit: Vigilant end user; Whitelisting; Memory protection; Patch management; Sandboxing
» Control: Next gen FW; NIPS; FW ACL; NIDS; DNS
» Execute: SIEM; Audit logs

Page 20: Defense-in-Depth

Page 21: Defense-in-Depth Strategy

Successful risk mitigation starts with a solid vulnerability management foundation, augmented by additional layered defenses which include:

» Configuration Control
» Application Whitelisting
» Memory Protection
» Data Encryption
» Port / Device Control
» Antivirus

[Diagram: layered defenses: Patch and Configuration Management; Application Control; Memory Protection; Device Control; AV; Hard Drive and Media Encryption]

Page 22: Endpoint Defense-in-Depth

[Diagram: endpoint defense-in-depth layers: Configuration Management; Patch Management; Anti-Malware; Port / Device Control; Data Encryption; Network Access; Physical Access]

Page 23: Additional Information

• For End User Education
» “Be Aware of What You Share” at www.lumension.com/be-aware
• For Security Pros (www.lumension.com/Resources)
» Whitepaper “The State of APT Preparedness” from UBM Tech at ~/WhitePapers/The-State-of-APT-Preparedness
» On-Demand Webcast “Top 9 Mistakes of APT Victims” by Ultimate Windows Security at ~/Webcasts/Top-9-Mistakes-of-APT-Victims
• More on APT issues and solutions in the Optimal Security blog at blog.lumension.com/tag/advanced-persistent-threat/

Page 24: Q & A

Page 25: Global Headquarters

8660 East Hartford Drive
Suite 300
Scottsdale, AZ 85255
1.888.725.7828
[email protected]
http://blog.lumension.com